Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 425f6c7d6dea44ba…

MALICIOUS

Office (OLE) / .XLS

Size: 133.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
MD5: b6df54aa777e37c53e23875afcf9df6f
SHA-1: 6088b463e11992f6ea7b76c368bef21723842368
SHA-256: 425f6c7d6dea44ba6a838e69af3b375b8fb428c4f2c8fcce61d42f5c9d2cff29
Risk Score: 162

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is an Excel file containing VBA macros, with both Auto_Open and Auto_Close subroutines present. The Auto_Open subroutine attempts to run a macro specified in cell H1 of a sheet named 'Niola'. This indicates the macro is designed to execute malicious code upon opening the document. The presence of embedded URLs suggests the macro's purpose is to download and execute a second-stage payload. The ClamAV detection name 'Doc.Downloader.Docusign112100-9908075-0' further supports this downloader functionality.

Heuristics (5)

  • ClamAV: Doc.Downloader.Docusign112100-9908075-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Downloader.Docusign112100-9908075-0
  • Auto_Open macro [high, OLE_VBA_AUTO]
    The VBA project contains an Auto_Open subroutine, which runs automatically when the workbook is opened.
  • Auto_Close macro [high, OLE_VBA_AUTOCLOSE]
    The VBA project contains an Auto_Close subroutine, which runs automatically when the workbook is closed.
  • VBA macros detected [medium, OLE_VBA_MACROS]
    Document contains VBA macro code
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://5.196.247.6/
    • http://94.140.112.149/
    • http://84.246.85.196//

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 57dbf314ba8d8e0cd5ae01430a1b3452bf5356fd0c3f739414504ecdf5e48acc
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3568 bytes